11 matches found
EUVD-2019-0650
Malware in sbrugna...
EUVD-2025-15798
Malicious code in bioql PyPI...
OpenPGP.js's message signature verification can be spoofed
Impact A maliciously modified message can be passed to either openpgp.verify or openpgp.decrypt, causing these functions to return a valid signature verification result while returning data that was not actually signed. This flaw allows signature verifications of inline non-detached signed messag...
CVE-2025-47934 OpenPGP.js's message signature verification can be spoofed
OpenPGP.js is a JavaScript implementation of the OpenPGP protocol. Startinf in version 5.0.1 and prior to versions 5.11.3 and 6.1.1, a maliciously modified message can be passed to either openpgp.verify or openpgp.decrypt, causing these functions to return a valid signature verification result...
CVE-2024-23953
CVE-2024-23953 affects Apache Hive (LLAP); uses Arrays.equals() in LlapSignerImpl to compare signatures, introducing a timing discrepancy that can enable signature forgery by an authorized user. The issue stems from non-constant-time comparison, where mismatched bytes may reveal information throu...
whatsapp-api-js fails to validate message's signature
Impact Incorrect Access Control, anyone using the post or verifyRequestSignature methods to handle messages is impacted. Patches Patched in version 4.0.3. Workarounds It's possible to check the payload validation using the WhatsAppAPI.verifyRequestSignature and expect false when the signature is...
CVE-2024-45607 whatsapp-api-js fails to validate message's signature
whatsapp-api-js is a TypeScript server agnostic Whatsapp's Official API framework. It's possible to check the payload validation using the WhatsAppAPI.verifyRequestSignature and expect false when the signature is valid. Incorrect Access Control, anyone using the post or verifyRequestSignature...
SUSE CVE-2017-17847
An issue was discovered in Enigmail before 1.9.9. Signature spoofing is possible because the UI does not properly distinguish between an attachment signature, and a signature that applies to the entire containing message, aka TBE-01-021. This is demonstrated by an e-mail message with an attachmen...
Message Signature Bypass
Overview Versions of openpgp prior to 4.2.0 are vulnerable to Message Signature Bypass. The package fails to verify that a message signature is of type text. This allows an attacker to to construct a message with a signature type that only verifies subpackets without additional input such as...
Message Signature Bypass in openpgp
Versions of openpgp prior to 4.2.0 are vulnerable to Message Signature Bypass. The package fails to verify that a message signature is of type text. This allows an attacker to to construct a message with a signature type that only verifies subpackets without additional input such as standalone or...
UBUNTU-CVE-2017-17847
An issue was discovered in Enigmail before 1.9.9. Signature spoofing is possible because the UI does not properly distinguish between an attachment signature, and a signature that applies to the entire containing message, aka TBE-01-021. This is demonstrated by an e-mail message with an attachmen...